Network-Enhanced Control Of Software Updates Received Via Removable Computer-Readable Medium

ABSTRACT

Methods, apparatuses, and systems for network enhanced controls of software updates received via a computer-readable medium are described. A first computer may load data representative of an image of a software stack from a removable computer-readable storage medium. A task sequence of instructions for installing the data representative of the image of the software stack at the first computer may be requested from the first computer to a second computer. The first computer may receive the task sequence, and may access the task sequence to retrieve the instructions for installing the data representative of the image at the first computer.

RELATED APPLICATION

This application claims priority from U.S. Provisional PatentApplication Ser. No. 61/259,379, filed Nov. 9, 2009, entitled, “NetworkEnhanced Controls of Software Updates Received Via Computer-ReadableMedium,” the contents of which are hereby incorporated by reference inits entirety.

BACKGROUND

Service providers such as banks and other financial institutionstypically provide self-service financial transaction devices (SSFTDs)such as automated teller machines (ATMs) for use by their customers.While the SSFTDs provide a useful service to the customers, there is asignificant burden imposed on the service provider to maintain andupgrade the SSFTDs. This burden becomes nearly overwhelming in the caseof large institutions, which may have thousands upon thousands of SSFTDsdistributed across thousands of miles.

When periodically upgrading the software on the SSFTDs, the serviceprovider may often need to upgrade all of the SSFTDs within a shortwindow of time, so that, for instance, all of the SSFTDs provide aconsistent user experience. The SSFTDs are commonly interconnected by anetwork, however providing upgraded software to all of the SSFTDs overthe network may not be practical or economical due to typical networkbandwidth limitations.

Even if a software upgrade is eventually provided to the SSFTD, theupgrade usually involves a complex installation sequence, performedlocally at the SSFTD, which is prone to error and therefore not reliablyrepeatable over a large number of machines. Potential errors are evenmore likely where a human service operator is involved in locallymanaging the installation sequence at a given SSFTD.

SUMMARY

Aspects as described herein are directed to methods, apparatuses,systems, and software for providing a potentially more effective way todistribute software, and updates thereto, to a plurality of SSFTDs. Thismay be done in a variety of ways depending upon the significance of theupdate. For instance, a reference, or master, software stack may bebuilt at a reference machine and imaged, and then the imaged stack issent to the SSFTDs. The SSFTDs then use the local image to generate astack on their own local hard drives or other computer-readable media.Where updates are minor (e.g., involving a small number of softwarecomponents in the stack), then only the updated installation componentsmight be sent. Where the updates are larger, a delta patch file may besent that may be utilized by the SSFTD in conjunction with the previousversion of the locally-stored stack image to produce the updated stack.

To allow for the SSFTD to handle the received image, received deltapatch file, and/or installation component updates independently withoutnecessarily requiring a human service operator local to the SSFTD, stillfurther aspects are directed to the SSFTD including a computer-readablemedium, such as a hard drive, that includes a logically-protectedregion, such as a protected folder or partition. The logically-protectedregion may store the installation components and any instructions(referred to herein as a task sequence) for using the image, the deltapatch file, and installation components. A memory-resident (e.g.,RAM-resident) operating system may also be stored in thelogically-protected region.

The installation instructions may be provided to the SSFTD in the formof one or more various task sequences, depending upon the type ofupgrade or installation to be performed. These task sequences may beprovided from the reference machine along with the image, the deltapatch file, and/or installation components. Still further aspects aredirected to automatically and programmatically generating the tasksequences by a computer (such as the reference machine) that analyzes aplurality of uniformly-formatted manifests describing the changes to thesoftware stack components and uses the manifests to generate the tasksequences.

Still further aspects are directed to at least three types of tasksequences that may be sent to an SSFTD: a re-imaging task sequence (forinstalling a stack from scratch from an image, such as where the harddrive on the SSFTD is brand new); an incremental task sequence (forinstalling component upgrades to an existing SSFTD software stack; and acumulative task sequence (for installing a stack from scratch from animage and subsequently installing any component upgrades to that stack).These task sequences may be separate task sequences or they may becombined into a single longer task sequence with various logical entrypoints into the sequence depending upon whether a re-imaging,incremental, or cumulative process is desired at the SSFTD.

As discussed above, the SSFTD may store these images, delta patch files,the task sequence(s), and a memory-resident operating system in thelogically-protected region of the hard drive. Still further aspects aredirected to, when installing a new stack from an image at an SSFTD(which may or may not include one or more supplemental delta patchfiles), erasing the hard drive except for the logically-protectedregion, and then rebuilding the software on the erased portion of thehard drive using the information and instructions stored in thelogically-protected region.

The above upgrades may be propagated to the SSFTDs by way of a networkor by way of a local install by a human service operator, such as usinga removable computer-readable medium (e.g., a USB stick or disk). In thelatter case, it may be problematic if the version of the upgrade on theremovable medium is not up to date. For instance, the removable mediummay be left over from an upgrade that took place much earlier in time,or it may contain an upgrade copied from a physically proximate otherSSFTD that may or may not have the most recent upgrade. Therefore,further aspects are directed to providing version control of new imageinstalls that may be provided from a removable medium.

These and other aspects of the disclosure will be apparent uponconsideration of the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present disclosure and thepotential advantages of various aspects described herein may be acquiredby referring to the following description in consideration of theaccompanying drawings, in which like reference numbers indicate likefeatures, and wherein:

FIG. 1 is an illustrative functional block diagram of a self-servicefinancial transaction device (SSFTD) 100;

FIG. 2 is an illustrative functional block diagram of a system includinga plurality of SSFTDs and a service provider interconnected via anetwork;

FIG. 3 is an illustrative functional block diagram showing three waysfor a reference stack and/or updates thereto to be propagated to adestination SSFTD;

FIG. 4 is a flow chart showing an illustrative process for building areference stack and propagating stack updates and task sequences toSSFTDs;

FIG. 5 is another flow chart showing an alternative illustrative processfor building a reference stack and propagating stack updates and tasksequences to SSFTDs;

FIG. 6 is a flow chart showing illustrative functions that may beinstructed by a task sequence for use by an SSFTD;

FIG. 7 illustrates an example of a reference software stack associatedwith a reference machine;

FIG. 8 illustrates an example of a core configuration of a destinationmachine, such as an SSFTD;

FIG. 9 illustrates an example of a stack configuration in a destinationmachine;

FIG. 10 illustrates an example where an incremental change to thesoftware stack of a destination machine is performed;

FIG. 11 illustrates an example where a cumulative change to the softwarestack of a destination machine is performed;

FIG. 12 illustrates an example of the changes that may be made at areference machine that are representative of the desired changes to bemade at a destination machine;

FIG. 13 illustrates an example where implementation of large-scalechanges to the software stack of the destination machine, based upon thechanges made to the reference machine, is performed;

FIG. 14 is an example flowchart of a method for installing a new versionof a software stack at a destination machine;

FIG. 15 illustrates an example system for authorizing an image stored ona removable memory source;

FIG. 16 is an example flowchart of a method for authorizing loading of anew version of a software stack image onto a destination machine;

FIG. 17 illustrates an example system for loading an image from aremovable memory source onto a destination machine;

FIG. 18 is an example flowchart of a method for loading an image from aremovable memory source onto a destination machine;

FIG. 19 is an example flowchart of a method for accessing a current tasksequence for a destination machine to execute;

FIG. 20 is an example flowchart of a method for installing a new versionof a software stack at a destination machine;

FIG. 21 is another example flowchart of a method for installing a newversion of a software stack at a destination machine;

FIG. 22 is a flow chart showing illustrative steps in a process that maybe performed to prohibit remote observation of a transaction inprogress;

FIG. 23 is a functional block diagram showing an example of how a deltapatch file may be created from two images;

FIG. 24 is an example flowchart of a method for generating a delta patchfile at a reference machine;

FIG. 25 is an example flowchart of a method for installing a delta patchfile at a destination machine;

FIG. 26 is another example flowchart of a method for generating a deltapatch file at a reference machine; and

FIG. 27 is another example flowchart of a method for installing a deltapatch file at a destination machine; and

FIG. 28 is a functional block diagram showing an example of how a deltapatch file may be generated, distributed, and utilized from a referencemachine to a destination machine.

DETAILED DESCRIPTION

FIG. 1 is an illustrative functional block diagram of a self-servicemonetary device (SSFTD) 100. SSFTD 100 may include, for instance, anautomated teller machine (ATM) or automated kiosk for depositing and/orwithdrawing monetary amounts. While the withdrawals are typicallyprovided to the user of the SSFTD 100 as currency, the deposits may bein the form of currency or checks.

SSFTD 100 as shown in FIG. 1 includes a computer 101, a hard drive 102or other computer-readable medium, a deposit unit 103, a withdrawal unit104, a display 105, a printer 106, a camera 107, a network interface108, a removable media interface 109, and a safe 110. Although computer101 is labeled as a “computer,” any one or more of the other functionalblocks in FIG. 1 may also be or include a computer. As understood, SSFTD100 may include one or more computers 101, hard drives 102, depositunits 103, withdrawal units 104, displays 105, printers 106, key pads107, network interfaces 108, removable media interfaces 109, and safes110.

The term “computer” as referred to herein broadly refers to anyelectronic, electro-optical, and/or mechanical device, or system ofmultiple physically separate or physically joined such devices, that isable to process and manipulate information, such as in the form of data.Non-limiting examples of a computer include one or more personalcomputers (e.g., desktop or laptop), servers, smart phones, personaldigital assistants (PDAs), television set top boxes, and/or a system ofthese in any combination or subcombination. In addition, a givencomputer may be physically located completely in one location or may bedistributed amongst a plurality of locations (i.e., may implementdistributive computing). A computer may be or include a general-purposecomputer and/or a dedicated computer configured to perform only certainlimited functions.

A computer typically includes hardware that may execute software and/orbe configured in hardware to perform specific functions. The softwaremay be stored on a computer-readable medium in the form ofcomputer-readable instructions. A computer may read thosecomputer-readable instructions, and in response perform various steps asdefined by those computer-readable instructions. Thus, any functionsattributed to any of the functional blocks of FIG. 1 as described hereinmay be implemented, for example, by reading and executing suchcomputer-readable instructions for performing those functions, and/or byany hardware subsystem (e.g., a processor) from which the computer iscomposed.

The term “computer-readable medium” as used herein includes not only asingle physical medium or single type of medium, but also a combinationof one or more physical media and/or types of media. Examples of acomputer-readable medium include, but are not limited to, one or morememory chips, hard drives (e.g., hard drive 102), optical discs (such asCDs or DVDs), magnetic discs, and magnetic tape drives. Acomputer-readable medium may be considered part of a larger device or itmay be itself removable from the device. For example, a commonly-usedremovable computer-readable medium is a universal serial bus (USB)memory stick that interfaces with a USB port of a device.

A computer-readable medium may store computer-readable instructions(e.g., software) and/or computer-readable data (i.e., information thatmay or may not be executable). In the present example, acomputer-readable medium (such as memory) may be included in any one ormore of the functional blocks shown in FIG. 1 and may storecomputer-executable instructions and/or data used by any of thosefunctional blocks. Alternatively or additionally, such acomputer-readable medium storing the data and/or software may bephysically separate from, yet accessible by, any of the functionalblocks shown in FIG. 1.

Where SSFTD 100 is an ATM, computer 101 is typically embodied as apersonal computer. In this example, computer 101 may be responsible forthe overall control of SSFTD 100. To perform such control, computer 101may execute, for example, one or more software applications, one or moredevice control programs, and one or more operating systems, each ofwhich may be stored on hard drive 102, which may be a single physicalhard drive or multiple physical hard drives. These various elements willbe discussed in further detail below.

Hard drive 102 may be a single physical hard drive unit or may includemultiple physical hard drive units. Rather than, or in addition to, harddrive 102, SSFTD 100 may store data and/or computer-executableinstructions on one or more other types of computer-readable medium,such as an optical disc drive, a magnetic tape drive, and/or memorychips.

Deposit unit 103 may be responsible for physically receiving depositeditems such as currency and checks, for physically counting the depositeditems, for physically holding the deposited items in an escrow areaduring a deposit transaction, for determining the value of the depositeditems, and for physically transferring the deposited items to safe 110when the transaction is complete. Such deposit units 103 are well-knownand often used in many ATMs today.

Withdrawal unit 104 may be responsible for physically retrievingcurrency or other items from safe 110 during a withdrawal transaction,and for physically providing the retrieved currency to the user. Suchwithdrawal units 104 are well-known and often used in many ATMs today.

Display 105 may be responsible for displaying a visual user interface tothe user, and may also incorporate a touch screen capability forreceiving user input. Typical information that may be presented ondisplay 105 includes text and/or graphics representing the status of atransaction. Likewise, printer 106 may be responsible for presenting apaper printout containing information about a transaction. Again, thesetwo elements are often found in conventional ATMs.

Key pad 107 may include one or more buttons, switches, and/or otherphysical user input elements, and may be responsible for receiving userinput associated with a transaction. For example, key pad 107 mayinclude digit keys zero through nine and other function keys.

Network interface 108 may be responsible for data communication betweenSSFTD 100 and a network 112. The communication may be uni-directional orbi-directional. Network 112 may be a single network or combination ofmultiple coupled networks, and may be wireless and/or wired. Examples ofnetwork 112, or portions thereof, include the Internet, a cellulartelephone network, a cellular data network, a wired or wireless localarea network, and a satellite communication network.

Removable media interface 109 may be responsible for reading from and/orwriting to a removable computer-readable medium 111, such as a USB key,a compact disc (CD), a floppy magnetic disc, or a portable hard drive.Removable media interface 109 may therefore include a physical port forplugging in or otherwise temporarily receiving removablecomputer-readable medium 111. This port may be physically part of, forinstance, the housing of computer 101. However, the port may be locatedelsewhere in or on SSFTD 100, such as on a rear housing of SSFTD 100that may be accessible to maintenance servicers of SSFTD 100 but notnecessarily to the general public. Regardless of the location of theport, data read from removable computer-readable medium 111 by removablemedia interface 109 may be provided to computer 101, and data providedby computer 101 may be written by removable media interface 109 tocomputer-readable medium 111.

FIG. 2 shows an illustrative system including network 112, a pluralityof SSFTDs 100A, 100B, 100C, and a service provider 201 that may includeat least one reference machine 700. Service provider 201 may be anentity that is responsible for the software maintenance of SSFTDs100A-C. Service provider 201 may be, for example a bank or otherfinancial institution, or it may be purely a software maintenanceentity.

Reference machine 700 may be located at or otherwise be under thecontrol of service provider 201, and may be embodied as one or morecomputers. In one example, reference machine comprises a computerincluding a hard drive for storing a software stack that is built atreference machine 700. The software stack stored at reference machine201 may be used as a master software stack that is propagated to one ormore of SSFTDs 100A-C. As will be described in further detail, thisreference software stack, and updates thereto, may be propagated toSSFTDs 100A-C in any of a number of ways. For instance, where thesoftware stack is to be propagated to one of the SSFTDs for the firsttime or is intended to completely replace any software stackrepresentation at the SSFTDs, then the software stack may be imaged, andthe image of the software stack is sent to the SSFTDs rather than theindividual components of the software stack. This may reduce theopportunities for errors to occur while installing the software stack atthe SSFTDs, because rather than a large number of installation commandsfor the various components, only a relatively simple set of installationcommands may be needed to unpack the image into a software stack at theSSFTDs.

Where the reference software stack undergoes a major change (e.g.,version 1.0 to version 2.0), another way that this change may bepropagated to the SSFTDs is to send a delta patch file representing onlythe change. As will be described in further detail, because the SSFTDsmay retain a copy of the original software stack image, this propagationmay be accomplished by imaging a combination of the software stack priorto the change and the software stack after the change into a singlecombined image, then imaging only software stack prior to the change,and then determining a delta (difference) between the combined image andthe before-change-only image. This delta may be embodied in a file,referred to herein as a delta patch file. At the SSFTD end, this deltapatch file may be utilized in combination with the stored pre-changefull software stack image at the SSFTD to generate a working newsoftware stack.

On the other hand, where the updates to the software stack are ratherminor (e.g., version 1.2 to version 1.21), then the new or addedsoftware components (and/or their installers) may be sent to the SSFTDs.

Reference Software Stack

As previously discussed, whether generating an image file on a referencemachine or receiving an image at a destination SSFTD, such as an ATM,one or more aspects of the present disclosure are directed to anoriginating (reference) software stack created at reference machine 700,a representation of that reference stack (e.g., an image) or changesthereto being sent to one or more destination SSFTDs, and creating orupdating a software stack locally at the destination SSFTDs based on thesent representation and/or based on a representation already storedearlier at the destination SSFTDs.

FIG. 7 illustrates an example of a reference software stack 731associated with reference machine 700. In generating a software stack731 at reference machine 700, one may begin with a core, which in thisexample includes a processor, hard drive 721, power supply, and otherhardware components 711. An identical or similar core may also reside oneach of the SSFTDs 100A-C.

First, the reference machine may boot into a memory-resident (e.g.,RAM-resident) operating system, such as Win PE. Next, the referencemachine 700 may create the reference software stack by being providedwith installers for all software components either to be installed oravailable for installation. These installers may be retrieved from, forinstance, a network shared volume. In addition, an instruction sequencemay be fetched, such as from the network shared volume. The instructionsequence may be, for instance, an extensible markup language (XML) filethat identifies the specified software components to be installed for asoftware stack on the reference machine, the order of the installationof the various components, and the installation commands themselves.This instruction sequence used to build the reference stack will bereferred to herein as the reference stack task sequence.

Reference software stack 731 may be an amalgam of various softwareinstallation packages within various logical layers. The specifiedsoftware components to be installed for reference software stack 731 maygenerally fall, in this example, within one of three layers: anoperating system layer 737, a device management layer 735, and anapplication layer 733 that may include miscellaneous softwareapplications to support maintenance, software distribution, monitoringand security, such as but not limited to APTRA software provided by NCR.

One or more of these layers may originate from one or more differentvendors and/or internal development teams of the entity utilizing thesoftware stack. Each layer may be comprised of multiple applications orcomponents, some of which are designated by a lowercase letter (733 b,735 f, 737 c) in FIG. 7 by way of example.

The root layer may be the operating system layer 737 that the referencemachine 700 will boot into at launch and operate in for normalconditions. Various patches, including security patches, may be separatesoftware components, such as 737 b, for installation purposes. In oneexample, the first software components for installation on a referencemachine 700 may be the operating system and any current patches thathave been issued by the manufacturer, these would be 737 a, 737 b, 737c, etc. Windows XP by Microsoft Corporation is one example of anoperating system, and any of a variety of software patches thatMicrosoft Corporation releases for the Windows XP operating system maybe additional software components that are part of the operating systemlayer 737.

The next layer for installation in the ordered sequence may be thesoftware components associated with the device control or devicemanagement layer 735. A device control layer 735 includes softwarecomponents that provide the functionality required to control alldevices associated with the SSFTD to which the stack will eventually bepropagated. The device control layer 735 may be or include, forinstance, Extensions for Financial Services (XFS), a programminginterface commonly used for controlling associated peripheral devices inan ATM. Where the SSFTDs are ATMs, the associated peripheral devices maybe, for example, an access card reading system, the security camerasystem, the check deposit system, the cash dispenser system, etc, and/orany of the devices described above in connection with FIG. 1.

Application programming interfaces (API) may be also provided in thedevice management layer 735. When a vendor has a new device for anassociated peripheral device, such as a new access card reader, thevendor provides an API that adheres to a standard for the device controllayer ensuring that the new device can slide in to operation without acumbersome retrofit. As such, for the various devices involved, thedevice control layer 735 may include one or more software components 735a, 735 b, 735 c, 735 d, etc.

The next layer for installation may be the application layer 733. Theapplication layer 733 may include, for example, software components forexecution of business logic and presentation of user interfaces to anend customer, as well as ancillary software, such as third party supportand diagnostic software. Software for monitoring the machine may not bean application for an end user within the application layer and, assuch, may be resident within an ancillary software layer separate fromthe application layer 733.

FIG. 7 illustrates various software components of the layers 733, 735,737. For each respective layer, there may be multiple softwareinstallation packages or components. The order of installation of layersas well as the order of installation of specified software packageswithin a layer may be defined by the reference stack task sequence.

For any particular destination SSFTD, the software stack on that SSFTDmay also need to include customization due to the specific hardware thesoftware stack is to be interacting with. For example, the name of thecomputer in the SSFTD, security identifiers, and driver cache are butthree examples of data that may be included in the software stack.However, such information may not be already included in the referencestack at the reference machine, because these examples of data would bedifferent for each SSFTD. As such, it may be desirable to insteadgeneralize the reference stack image to remove such identifiers, such asusing SysPrep, to prepare the image for distribution to multipledifferent machines. The generalized stack then may be migrated to theSSFTDs for loading and subsequent customization.

Software Stack on SSFTD

FIG. 8 illustrates an example of a core configuration of a destinationmachine 800, such as one of the SSFTDs 100A-C. FIG. 8 illustrates adestination machine that has yet to have any type of executable softwarestack for normal operation. FIG. 8 illustrates a destination machinethat lacks a general purpose operating system. Destination machine 800is shown to include a core, which in this example is a motherboard withhard drive 821, power supply, and other hardware components 811. Sincethe core does not yet have an operating system to launch into yet, thecore may be configured to boot into a RAM resident operating system. WinPE by Microsoft Corporation of Redmond, Wash. is one such example RAMresident operating system.

Hard drive 821 of the destination machine 800 also may include alogically protected region 851. This logically protected region 851 maybe physically separate from other data storage locations of thereference machine 800 or it may be a defined area of the hard drive 821that is protected from an operation to clean the remainder of the harddrive 821. Logically protected region 851 of the hard drive 821 providesthat when a command to clean the remainder of the hard drive 821 isexecuted, logically protected region 851 is not erased, modified, oraffected. Only the portion of hard drive 821 that is not logicallyprotected would be cleaned. As such, logically protected region 851 maymaintain data that will not be inadvertently removed from the hard drive821. As described herein, logically protected region 851 of destinationmachine 800 may store an image 891 (or multiple images), installercomponents, and installation instructions (also referred to herein as atask sequence) as received from reference machine 700 via network 112,as well as the RAM-resident operating system.

Whether received at the destination machine 800 electronically vianetwork 112, or received physically, such as by use of a USB storagedevice transfer into removable media interface 109, image 891 mayrepresent a generalized software stack migrated to the destinationmachine from reference machine 700. Image 891 may be, for example, oneor more file-based disk image format files, such as one or moreMicrosoft Windows Imaging Format (WIM) files, that represent a softwarestack desired to be loaded onto the destination machine 800, i.e.,software stack 731 generated at the reference machine 700. Other imagingtechnologies, such as sector based image technology in Ghost by Symatecof Cupertino, Calif. and products by Acronis, Inc. of Woburn, Mass. alsoand/or alternatively may be used. Having received the image 891 nowstored in the logically protected area 851 of hard drive 821 on thedestination machine 800, an executable software stack may be createdonto the non-protected area of the hard drive 821 as described below andas shown in FIG. 9.

FIG. 9 illustrates an example of the destination machine 800 from FIG.8, such as an ATM or other type of SSFTD, with an operational softwarestack 931 currently in place. The operational software stack 931 mayhave been built from the image file 891 maintained in the logicallyprotected region 851 of the hard drive 821.

The software image 891 in the logically protected region 851 then mayhave been applied to the hard drive 821 by copying the software stack tothe hard drive 821. Associated peripheral devices of the destinationmachine 800 then may have been operationally connected to the operatingsystem within the software stack 931. Finally, the destination machine800 may have been configured/personalized for the machine in question,such as serial numbers and other data for devices and componentsincluded. Destination machine 800 in FIG. 9 is shown to include the corewith hard drive 821, and other hardware components 811.

Because software stack 931 was created from the image 891 (which in turnwas created from the reference stack generated at the reference machine700), the software stack 931 on the destination machine 800 is expectedto be the same software stack as the reference stack (except for anysubsequent customization).

Software stack 931 includes an operating system layer 937, identical tooperating system layer 737, that the destination machine 800 will bootinto at launch and operate in for normal conditions. Various patches,including security patches, may be separately installed as softwarecomponents, such as software component 937 c.

The stack 931 also includes a device management layer 935 identical todevice management layer 735. Device control layer 935 includes softwarecomponents that provide the functionality required to control alldevices associated with the destination machine 800. In the example ofan ATM, the associated peripheral devices may be an access card readingsystem, a security camera system, a check deposit system, a cashdispenser system, etc.

The stack 931 also includes an application layer 933 identical toapplication layer 733. The application layer 933 is designed to includesoftware components for execution of business logic and presentation ofuser interfaces to an end customer utilizing the destination machine800.

The software stack 931 having been installed, and upon customization ofthe stack 931, the destination machine 800 now may operate in normalconditions.

Changes to the Software Stack on the SSFTD

At times, it may be desirous to change the software stack of adestination machine 800. Any of a number of reasons may exist for such achange. For example, a vendor may have a new security patch related to apiece of software that is operating on the destination machine 800. Whenone or more of these particular software package changes are desired,the service provider 201 may want to change the software stack of thevarious destination machines under its control.

Where the change is very large, service provider 201 may generate a newreference stack at reference machine 700 in the same manner aspreviously described, and then have that software stack propagated vianetwork 112 to a destination SSFTD (e.g., SSFTDs 100A-C), such as via adelta patch file sent to the logically protected region of the harddrive of the destination SSFTD.

However, undertaking such a large transfer may not always be desirous,especially where the stack must be transferred to a large number ofdestination SSFTDs, and/or where the changes are smaller, such as only afew software components in the stack being updated. In such a case, itmay be desirable to implement an incremental update. FIG. 10 illustratesan example where an incremental update to the software stack 931 of thedestination machine 800 is performed.

In this example, a software installation package, as well as aninstallation task sequence 1091 describing how to install the softwareinstallation package, has been received by the destination machine 800from the reference machine 700 via network 112, and stored in thelogically protected region 851 of the hard drive 821. The softwarepackage 1091 may be, for example, a new version of a software packagealready being utilized within the software stack 931 of the destinationmachine 800, or a brand new component not previously existing in thestack. The new version may be a security patch or other softwarecomponent. The installation task sequence, also referred to herein asthe incremental task sequence, may be a set of instructions for how toinstall the new software package.

In the example shown in FIG. 10, the incremental task sequence, capturedas an Extensible Markup Language (XML) file, and the software package ofone or more MSI installers utilized by Microsoft Installer by MicrosoftCorporation of Redmond, Wash. The MSI installers may include multiplesoftware updates for changes to the software stack 931. In thisparticular example, only a single change or single software package willbe described, for simplicity. The XML file of the incremental tasksequence and the one or more MSI installers may be wrapped togetherinside a single package 1091, such as by utilizing Tivoli products ofIBM Corporation of Armonk, N.Y.

In the example of FIG. 10, to change the software stack 931 so as toinclude the desired new package 1091, a process for updating thesoftware stack may be performed, as dictated by the incremental tasksequence 1091. For this example, package 1091 will be considered to be anew version of a software package associated with the security camerasystem of the destination machine. To process the change to the softwarestack 931 in accordance with the incremental task sequence 1091, thedestination machine 800 first may be taken out of operation. Such a stepmay not be a physical move of the destination machine; rather, such astep may be a time where a customer of the destination machine cannotoperate the destination machine for some type of self-service financialtransaction.

With the destination machine taken out of operation, the incrementaltask sequence 1091 may specify which software component currently in thesoftware stack 931 to de-install (i.e., the component that is to bereplaced). In the example of FIGS. 9 and 10, software component 933 bmay have been de-installed. Referring momentarily to FIG. 3, the middlerow shows an example of incremental updating, in which reference machine700 propagates both the incremental task sequence 1091 and theinstallation software package to the destination SSFTD via network 112.

Next, the task sequence specifies to re-install the software componentusing the installation component utilizing the installation softwarepackage stored in the logically protected region 851. This result ofthis incremental update is shown in FIG. 10 as software component 933 bhaving been replaced with software component 1033 b. In this example,software component 1033 b is the new version of the camera securitysoftware that was received in the MSI file.

To complete the process, the destination machine 800 is brought backinto operation. Now, when a customer utilizes the destination machine,the stack containing the new software package 1033 b is being executed.

The incremental change to the software stack 931 operation describedwith respect to FIG. 10 illustrates a situation where re-imaging, i.e.,utilizing the stored image file 891 in the logically protected region851, was not needed in order to update the software stack 931 andoperation of the destination machine 800. However, there may besituations where an incremental update is desired in conjunction withre-installing the software stack from the image stored in thelogically-protected region. For instance, the executable version of thestack may be acting unreliably, and so it may be desired to rebuild theentire stack, and then incrementally update that rebuilt stack, fromground up. Such an updating process is referred to herein as acumulative update process.

FIG. 11 shows a cumulative update to apply to the software stack 931. Asmentioned above, a cumulative update accounts for the desire to re-imagethe software stack from the image file 891 maintained in the logicallyprotected region 851 of the hard drive 821. In this example, one or moresoftware packages and a task sequence 1191 with instructions forperforming the cumulative update (also referred to herein as acumulative update task sequence) has already been received by thedestination machine 800 and stored in the logically protected region 851of the hard drive 821. Thus, as shown by way of example in FIG. 3 on thebottom row, only the cumulative update task sequence may need to be sentfrom reference machine 700 to the destination SSFTD, via network 112.

The package 1191 may include a new version of a software package alreadybeing utilized within the software stack 931 of the destination machine800. The new version may be associated with the operating system or someother software component. The task sequence may be a set of instructionsfor how to install the new software package. In the example shown inFIG. 11, the cumulative update task sequence, captured as an ExtensibleMarkup Language (XML) file, and the software package of one or more MSIinstallers utilized by Microsoft Installer by Microsoft Corporation ofRedmond, Wash. The MSI installers may include multiple software updatesfor changes to the software stack 931. In this particular example, onlya single change or single software package will be described, forsimplicity. The XML file of the cumulative update task sequence and theone or more MSI installers may be wrapped together inside a singlepackage 1191, such as by utilizing Tivoli products of IBM Corporation ofArmonk, N.Y.

In the example of FIG. 11, to update the software stack 931 so as toinclude the desired new software package 1191, a process for updatingthe software stack may be performed in accordance with the cumulativeupdate task sequence that includes re-imaging of the software stack andinstallation of any incremental updates. Thus, a cumulative update mayinclude performing (1) installation or replacement of the executablestack from the stack image stored in the logically protected region, and(2) performing an incremental update on the re-installed stack. Thus,the cumulative update task sequence may look very similar to theincremental update task sequence, except that one or more additionalinstructions for erasing the hard drive (except for the logicallyprotected region) and re-installing the software stack from the image,may be included in the cumulative update task.

To process the update to the software stack 931, the destination machine800 first may be taken out of operation. With the destination machinetaken out of operation, the cumulative update task sequence 1191 may beaccessed to determine the manner for installation. As part of theinstructions of the cumulative update task sequence 1191, the hard drive821 may be entirely cleaned except for the logically protected region851. The software image 891 in the logically protected region 851 thenmay be used to install the software stack to the non-logically-protectedregion of the hard drive 821. This re-installation of the stack from thepre-stored image is referred to herein as re-imaging.

As described in more detail herein, the re-imaging of the software stack931 from the image 891 may involve reverting back to a different versionof the software stack than was previously in place. This is becausethere may also be incremental updates that are needed. In reverting backto a previous version of the software stack, the previous version nevermay be seen by a customer because the destination machine may not bebrought into service until such time as all the incremental updates havebeen applied. To accomplish the incremental updates, the sameincremental update process as describe above may be performed.

For instance, the cumulative update task sequence 1191 may specify asoftware component currently in the software stack 931 to de-install. Inthe example of FIG. 11, software component 933 b is shown to have beende-installed. Next, the cumulative update task sequence specifies tore-install the software component utilizing the software package 1191stored in the logically protected region 851 that was previouslyreceived by the destination machine. This change is shown in FIG. 11 assoftware component 1133 b. Software component 1133 b may be a newversion of a software component that was received in the softwarepackage 1191.

To complete the process, the destination machine 800 is brought backinto operation. Now, when a customer utilizes the destination machine,the software stack including the new software package 1133 b is beingexecuted.

In some cases, larger changes may be desired to the software stack. Inthese cases, incremental or cumulative updates may involve a relativelylarge number of installation steps. As previously discussed, the moresoftware installation steps involved, the more chances there are forerror. Thus, it may be desirable to send an image representing theupdated software stack. However, as also discussed above, such an imagemay utilize an unacceptable amount of network bandwidth, especiallywhere the image is propagated to a large number of destination SSFTDs.Thus, as an alternative to sending an image representing the entire newsoftware stack, there is now described a way to send sufficientinformation to build a new software stack while still potentiallysending less information over network 112, i.e., utilizing less networkbandwidth. In particular, a file representing changes, or the delta, toa software stack, may be sent and used as a patch. Such a file used fordelta patching is referred to herein as a delta patch file.

FIG. 12 illustrates an example of the changes made at the referencemachine 700 that are representative of the desired changes needed at thedestination machine 800, utilizing delta patching. FIG. 12 illustrateshow a number of software components within software stack 731 onreference machine 700 have been changed. Again, such changes may bedesired for any of a number of reasons including an entirely newoperating system, new security patches, new associated peripheral devicepatches from third party vendors, a completely new software component toadd all together, etc.

Software stack 731 in FIG. 12 may illustrate an example of a new versionof a software stack to be utilized on a plurality of destinationmachines associated with the reference machine. Prior to the updates tothe software components on the destination machine, the destinationmachine 800 may be implementing a previously received version of thesoftware stack. In this example, the destination machine is implementingversion 1.0 of the software stack. And, in this example, the referencemachine 700 illustrated in FIG. 12 is creating a new version, version2.0, for migration to the destination machine 800.

Image 891, the image associated with version 1.0, may have beengenerated as described above. Similarly, an image may be generated thatis associated with version 2.0, including all the changed softwarecomponents. As described herein, an entirely new image 891 need not betransmitted to the destination machine in order to have it implementversion 2.0. By using delta patching, a delta patch file representingthe differences between version 1 and version 2 may be transmitted vianetwork 112, such as shown in the top row of FIG. 3. This file of thedifferences may be expected to be a smaller file than would an imagefile representing the full new version of the stack.

As part of the process at the reference machine 700, and as shown by wayof example in FIG. 23, a first image (e.g., the image associated withversion 1.0 of the software stack) and a second image (e.g., the imageassociated with version 2.0 of the software stack) may be created fromtheir respective software stacks, and then combined together into acompound image, such as by using known WIM single-instancing features.This compound image thus represents both the “before” version (version1.0 in this example) and the “after” version (version 2.0 in thisexample) of the stack.

Once the compound image is created, a differencing of the compound imageand an image of the “before” stack (in this example, version 1.0) isperformed, which results in a delta patch file that represents thedifference between the first and compound images. Such a comparison maydetermine the software components that are common or shared between thetwo versions, and may be performed by differencing software such as thecommonly-known Xdelta tool. This process of file-by-file comparison mayutilize binary delta differencing.

As a result of the delta patching process, two items may be generated.First, the delta patch file representing the difference between theversion 1.0 image and the compound image. Second, information referredto herein as a metadata catalog may be generated for use with the deltapatch file. This metadata catalog may be separate from or may beincluded as part of the delta patch file. Additionally, where themetadata catalog is part of the same delta patch file, the metadatacatalog may or may not be logically separate from the remainder of thedelta patch file, e.g., from the portion of the delta patch filerepresenting the actual changes in the files. The metadata catalog mayidentify, on a file by file basis, the correlation between a particularfile as part of a software component and a version. For example, forthree different files, the metadata catalog may indicate that file A isassociated with version 1.0 only, file B is associated with both version1.0 and version 2.0, and that file C is associated with version 2.0only. As such, a construct may be created that separately identifiescommon files to both versions, e.g., file B above, and files unique toversion 1.0, e.g., file A above, or version 2.0, e.g., file C above.

As a result, an entire new image need not necessarily be propagated toeach and every destination machine that needs a major change to itsresident software stack. The delta patch file, including or in additionto the metadata catalog file, and a task sequence for utilizing thedelta patch file, may be the only information sent over network 112 tothe destination machine(s). Because this delta patch file does notnecessarily represent common portions between the resident versionoperating on the destination machine and the new version, the deltapatch file sent to the destination machine may be expected to containless information, and thus likely be smaller in size than would an imageof the entire new version of the software stack. Thus, the overall timeand resources to change the software stack on the destination machinemay be lessened in comparison to completely transmitting a new image ofthe entire software stack for the new version.

Returning to FIG. 12, software stack 731 may illustrate an example of anew version, e.g., version 2.0, of a software stack to be utilized on aplurality of destination machines 800, associated with the referencemachine 700, that are operating under a different version, e.g., version1.0. In this example, the new version 2.0 software stack includesdifferent software components that are only part of version 2.0.

In the example of FIG. 12, software components 1233 b, 1235 f, and 1237c may be software components that are only associated with version 2.0.The other software components, such as 733 g, 735 a, and 737 e, may besoftware components that are common to both version 1.0 and version 2.0.Finally, although not shown in FIG. 12 since the software stack 731 inFIG. 12 is associated with version 2.0, software components 733 b, 735f, and 737 c, in FIG. 7, may be software components that are onlyassociated with version 1.0.

With the new version 2.0 in the software stack 731 of the referencemachine, a delta patch file 1291 may be created to account for thedifferences between version 1.0, currently operating on the destinationmachines, and version 2.0, the desired version to be operating on thedestination machines. As previously noted, delta patch file 1291 mayinclude a metadata catalog to identify the files of the softwarecomponents that are associated with version 1.0 only, those associatedwith version 2.0 only, and those that are common to both version 1.0 andversion 2.0. Thus, delta patch file 1291 in this example includes thefiles of software components associated with version 2.0 only, sincethey would not have been included in the original version 1.0 image 891,and the metadata catalog identifying the association of all files.

Delta patch file 1291 may then be transmitted from reference machine 700to the associated destination machines, such as destination machine 800in FIG. 13, via network 112 for loading and implementation of the newversion 2.0 of the software stack 931. A task sequence includinginstructions for using the delta patch file 1291 to update the stacklocal to the destination machine, may also be generated and sent using asoftware deployment infrastructure, e.g., IBM's Tivoli distributionframework. FIG. 13 illustrates an example where implementation of alarge scale change to the software stack 931 of the destination machine800 based upon the changes made to the reference machine in FIG. 12 isdesired.

Similar to the description of FIG. 8, the delta patch file 1291 may bemaintained in the logically protected area 851 of the destinationmachine 800 in addition to the previously-stored stack image and anyother previously-stored delta patch files. As previously described,logically protected region 851 of the hard drive 821 provides that whena certain command to clean the hard drive 821 of the destination machine800 is executed, logically protected region 851 is not erased, modified,or affected. Only the portion of hard drive 821 that is not logicallyprotected would be cleaned. Of course, the entire hard drive includingthe logically protected region could be erased if truly desired.

However, because logically protected region 851 is not normally erasedin the situations described herein, logically protected region 851 maymaintain data that will not be expected to be normally removed from thehard drive 821. In the example of FIG. 13, logically protected region851 maintains original image 891 that represents the original softwarestack for version 1.0. It is also the current version of the softwarestack 931 operating on the destination machine 800.

Having received the delta patch file 1291 now stored in the logicallyprotected area 851 of hard drive 821 on the destination machine 800, thepatch may be applied to the software image 891 to recreate a compoundimage file that now contains both versions 1.0 and versions 2.0 of thesoftware stack. Having recreated the compound image in protected region851, the new software stack may be created onto the destination machine800. The destination machine 800 may have cleaned the hard drive 821,except for the logically protected region 851. Either version 1.0 orversion 2.0 of the software stack that is contained within the compoundimage may now be copied to the erased disk for the purpose of creatingthe software stack 931 on the hard drive 821.

Associated peripheral devices of the destination machine 800 then mayhave been operationally connected to the operating system within thesoftware stack 931. The destination machine 800 may have beenconfigured/personalized for the machine in question, such as serialnumbers and other data for devices and components included. The deltapatch file 1291, associated task sequence, and metadata catalog mayadditionally be utilized for installation of the newest version 2.0 ofthe software stack. The delta patch file 1291 is used earlier to updatethe image to the compound variant that contains both versions 1.0 and2.0 of the software stack. Once the image file has been updated to thecompound image, then both variants of the software stack are availablein the compound image and which of the two is installed is captured inthe task sequence.

In the example of FIG. 13, to change the software stack 931 so as toinclude the desired delta patch file 1291, a process for changing thesoftware stack may occur. For this example, delta patch file 1291 mayinclude the software components associated with version 2.0 for thesoftware stack of the destination machine. As described above, a deltapatch file updates the image file contained in 891 to contain a compoundimage containing versions 1.0 and 2.0. Then during execution of theinstallation task sequence, the appropriate version is used to installthe destination software stack 931. To process the change to thesoftware stack 931, the destination machine 800 first may be taken outof operation. Such a step may not be a physical move of the destinationmachine; rather, such a step may be a time where a customer of thedestination machine cannot operate the destination machine for some typeof self-service financial transaction.

With the destination machine taken out of operation, the task sequencefor installation 1291 may be accessed to determine the manner forinstallation. In one example, the task sequence may specify the softwarecomponents currently in the software stack 931 to de-install. In theexample of FIG. 13, software components 933 b, 935 f, and 937 c, mayhave been de-installed.

Next, the task sequence may specify to re-install the softwarecomponents utilizing the software package 1291 stored in the logicallyprotected region 851 that was previously received by the destinationmachine 800. This change is shown in FIG. 13 as software components 1333b, 1335 f, and 1337 c. To complete the process, the destination machine800 is brought back into operation. Now, when a customer utilizes thedestination machine, the new software components 1333 b, 1335 f, and1337 c are being utilized.

The process for sending a delta patch file 1291 described with respectto FIGS. 12 and 13 may be cumulatively repeated, and thus may furtherapply to additional software stack versions that need to be applied to adestination machine 800. Following the description of FIG. 13, anadditional delta patch file may be received at the destination machine800 that includes an additional software stack version, such as version3.0. The newly received delta patch file, with associated task sequenceand metadata catalog, allows for the software stack of the destinationmachine 800 to be changed to version 3.0. As such, a sequential chain ofmultiple delta patch files may be maintained in the logically protectedregion 851 of the hard drive 821 of the destination machine 800, eachproviding updates to the previous version in the chain. Althoughdescribed as implementation of newer software stack versions, occasionsmay arise where it is desirous to revert back to a previous version ofthe software stack once operational on the destination machine 800. Thefollowing provides such an example situation.

Having loaded a new version 3.0 of a software stack 931 on a destinationmachine 800, a problem with the newly installed software component thatwas part of the version 3.0 upgrade may arise. For example, a securitypatch included as part of the version 3.0 software may cause a secondaryproblem not previously known or identified by an entity. For example,the newly installed software component associated with a cash scanningdevice for reading cash deposited by a user may have a problem where itdoes not recognize a certain denomination of bill, such as a $2 U.S.dollar bill.

An entity operating the destination machine may not have had this issuewith a previous version of the software stack. As such, it may bedesirous for an entity to change the version of the software stackoperational on the destination machine back to a previous version of thesoftware stack that is known to have been operational. In such asituation, a new file may be sent to the destination machine that isonly a task sequence for installation. In such a case, the new tasksequence may be instructions for cleaning out the hard drive 821, butfor the logically protected region 851, and loading an older version ofthe software stack, such as version 1.0 or version 2.0, as thecurrent/operative software stack 931 for the destination machine.

In loading the new software stack, the task sequence also may includeinstructions for loading other software components of version 3.0 thatdid not have errors associated with their implementation. As such, theresultant software stack 931 of the destination machine 800 may includea modified version of software stack 3.0 where the error prone softwarecomponent is not installed. By utilizing various delta patch files andvarious task sequences, the software stack of a destination machine maybe changed in any of a number of different manners, including modifiedversions of the software stack received from a reference machine.

FIG. 14 is an example flowchart of a method for installing a new versionof a software stack at a destination machine. The process starts and at1401, a delta patch file may be received by a destination machine. Asdescribed herein, the delta patch file may be delta patch file 1291 andthe destination machine may be destination machine 800 as described withrespect to FIGS. 12 and 13 above. Proceeding to 1403, the received deltapatch file may be combined with the previous image currently maintainedin a logically protected region of a hard drive of the destinationmachine, such as by applying a patch to the existing image that is afile-based disk image file, such as a WIM file, with the delta patchfile to create a new desired WIM file. XDelta may be utilized as oneproduct for combining the received delta patch file with the previousimage. This logically protected region may be logically protected region851 in hard drive 821 of destination machine 800 as previouslydescribed.

The delta patch file may represent changes to software components foruse in rebuilding the current software stack of the destination machine,a metadata catalog identifying, on a file by file basis, the correlationbetween a particular file as part of a software component and a version,and a task sequence for installation of a desired software stack on thedestination machine. The task sequence may be part of the delta patchfile or separate from the delta patch file. As described above, afterapplication of the received delta patch file, the image stored in thelogically protected region of the hard drive now may contain anadditional logical version of the software stack, e.g., if the imagecontained just version 1.0 of the software stack prior to application ofthe delta patch file, then it will contain both versions 1.0 and 2.0after application of the delta patch file. Repeating the process, if asubsequent delta patch file is distributed and applied, the image in theprotected region of the hard drive will now contain three versions ofthe software stack, e.g., versions 1.0, 2.0 and 3.0.

At 1405, the task sequence may be accessed to determine the instructionsfor changing the current software stack operating on the destinationmachine. As part of the instructions of the task sequence, thedestination machine may be rebooted into a memory (e.g., RAM)-residentoperating system in 1407, such as Win PE. By rebooting in thememory-resident operating system, in 1409, the hard drive of thedestination machine may be cleaned. The entire hard drive may be cleanedexcept for the logically protected region of the hard drive. Bycleaning/erasing the hard drive, but for the logically protected region,an entirely new software stack may be built on the destination machine.

Proceeding to 1411, a software stack may be built in the erased portionof the hard drive from the patched image stored in the logicallyprotected region of the hard drive based upon instructions in the tasksequence as to the version to build. For example, the patched image mayinclude multiple versions of a software stack. The task sequenceinstructions may indicate to build version 2.0 that is included in thepatched image. As such, version 2.0 of the software stack may be builtas the software stack of the destination machine. Proceeding to 1413,the instructions of the task sequence may instruct the destinationmachine to be rebooted into the newly-built operating system of thesoftware stack.

At this point, the software stack of the destination machine may beoperating under the specific version identified in the task sequence,such as version 2.0. In 1415, the task sequence may include additionalinstructions for de-installing any identified software component(s). Inupgrading to a version 3.0, for example, a determination may be made asto the software components common to version 2.0, currently inoperation, and version 3.0, the desired version to be loaded, as well asthe software components for version 3.0 only. Those software componentsfor version 3.0 only may be identified and, the corresponding softwarecomponents for version 2.0 may be de-installed in 1415. In 1417, theidentified software components for version 3.0 only may then bere-installed in place of the de-installed version 2.0 softwarecomponents. Following the flowchart of FIG. 14, the software stack ofthe destination machine may operate in accordance with the desiredversion, such as version 3.0. This de-installation of 1415 andreinstallation of 1417 of individual components that occurs duringincremental and cumulative updates is driven by the composition ofsoftware manifests. A delta patch file provides for the efficientdistribution of change and to allow for updating the image file on adestination machine.

In another example, a delta patch file may be generated for reducing thenumber of versions of a software stack maintained on destinationmachines. FIG. 24 illustrates an illustrative example for generating adelta patch file when there is a desire to reduce the number of versionsof a software stack currently maintained on a destination machine in thefield. Any of a number of reasons may exist for reducing one or moreversions of a software stack included in an image in a destinationmachine. In one example, a flaw in a version of the software stack thatwas previously distributed to the destination machine and saved in animage on the destination machine may be found and there may be a desireto completely remove the version from the destination machine. Anotherreason for reducing the number of versions stored at a destinationmachine may be due to limited data storage capacity at the destinationmachine. Thus, where some earlier versions of the software stack arelikely no longer needed, it may be desirable to free up storage space byremoving those earlier versions.

In FIG. 24, at 2401, a first image representative of a plurality ofsoftware stack versions may be generated and stored at reference machine700. At 2403, a second image representative of at least one and lessthan all of the plurality of software stacks represented by the firstimage may be generated and stored at the reference machine 700. Forexample, the first image may represent versions 1.0, 2.0, and 3.0 of asoftware stack, and the second image may represent versions 2.0 and 3.0of the software stack, but not version 1.0. In such an example, theremay be a desire to remove the version 1.0 of the software stack, such asto free up data storage space in the destination machine.

At 2405, the first image and the second image may be compared todetermine a difference between the second image and the first image. Thecomparison may be made by the reference machine, such as by using XDeltasoftware to perform binary delta differencing. Proceeding to 2407, adelta patch file may be generated as a result of the comparison, whichmay be representative of the difference between the second image and thefirst image. As part of the process of generating the delta patch file,a task sequence associated with the third file may be generated. Thetask sequence may include instructions for using the delta patch file tocreate an image identical to the second image on the destinationmachine.

In 2409, data representing the delta patch file may be recorded to acomputer-readable storage medium, such as an optical disc, a removablememory storage device such as a flash RAM device, or a hard driveassociated with the reference machine. Any of a number of differentcomputer-readable storage media may be utilized. As needed, in 2411, therecorded data representing the delta patch file may be read, and, in2413, the read data may be transmitted to a destination machine.

FIG. 25 is an example flowchart of a method for installing at adestination machine (e.g., SSFTD 100) the received delta patch filegenerated in connection with FIG. 24. In 2501, the delta patch file maybe received at the destination machine. In 2503, the received deltapatch file may be maintained with a previous image in the destinationmachine identical to the first image at the reference machine 700. Thereceived delta patch file and the previous image may be maintained in alogically protected region of a hard drive of the destination machine.Such a logically protected region may ensure that the content of thelogically protected region is not erased when the hard drive content ofthe destination machine is cleaned.

The received delta patch file may be processed by XDelta for thepurposes of applying a patch to the previously stored image file. Theprevious image may be maintained as a file-based disk image file, suchas a WIM file, and by utilizing XDelta as described herein, a newpatched image file may be maintained as a file-based disk image file,such as a WIM file in 2505. Thus, the new patched WIM file with fewersoftware stack versions may be maintained in the destination machine.The new patched image file may be maintained in the logically protectedregion of the hard drive of the destination machine. Referring to theabove example, where the previous image represents versions 1.0, 2.0,and 3.0 of a software stack and the new patched image representsversions 2.0 and 3.0 of the software stack, the resulting removal of theversion 1.0 of the software stack frees up data storage space in thedestination machine.

In yet another example, a delta patch file may be generated for bothremoving one or more previously stored versions of a software stackmaintained on destination machines and adding one or more new versionsof the software stack to the destination machines. FIG. 26 illustratesan example for generating a delta patch file when there is a desire toremove a previously stored version of a software stack currentlymaintained on a destination machine in the field and to add a newversion of the software stack. Any of a number of reasons may exist fora need to remove a previously stored version of a software stackincluded in an image in a destination machine while simultaneouslyadding a new version. In one example, a flaw in a previously storedversion of the software stack that was previously distributed to thedestination machine and saved in an image on the destination machine maybe found and there may be a desire to completely remove the version fromthe destination machine and add a new replacement version in its place.

In FIG. 26, at 2601, a first image representative of a plurality ofversions of a software stack may be generated and stored at referencemachine 700. At 2603, a second image representative of at least one andless than all of the plurality of versions of the software stack may begenerated and stored at the reference machine 700. In one example asshown in FIG. 28, the first image may represent versions 1.0, 2.0, and3.0 of a software stack (which would also be the image file currentlyexpected to be “in the field” at the target destination machine), andthe second image (a compound image removing version 1.0) may representversions 2.0 and 3.0 of the software stack. In such an example, theremay be a desire to remove the version 1.0 of the software stack to freeup memory space in the destination machine. Returning to FIG. 26, at2605, a third image representative of at least one new version of thesoftware stack may be generated and stored at the reference machine. Inexample shown in FIG. 28, the third image may be a compound image of animage of version 4.0 of the software stack and the second image, whichrepresents versions 2.0 and 3.0. The resulting third image would thusrepresent a plurality of versions of the software stack (specifically inthis case, versions 2.0, 3.0, and 4.0) as desired to be deployed to thetarget destination machine(s).

Referring again to FIG. 26, at 2607, the first image and the third imagemay be compared by the reference machine 700 to determine a differencebetween the third image and the first image. The comparison may be madeby the reference machine, such as by using XDelta software to performbinary delta differencing. Proceeding to 2609, a delta patch file may begenerated as a result of the comparing, which may be representative ofthe difference between the third image and the first image. As shown inFIG. 28, the generated delta patch file may include data representingthe removal of version 1.0 and the addition of version 4.0 to the imagestored on the destination machine in the field. As part of the processof generating the delta patch file, a task sequence associated with thedelta patch file may be generated. The task sequence may includeinstructions for using the delta patch file on the destination machineto generate the appropriate software stack.

In 2611 of FIG. 26, data representing the delta patch file may berecorded to a computer-readable storage medium, such as an optical disc,a removable memory storage device, such as a flash RAM device, or a harddrive associated with the reference machine. Any of a number ofdifferent computer-readable storage media may be utilized. As needed, in2613, the recorded data representing the delta patch file may be read,and, in 2615, the read data may be transmitted to a destination machine.

FIG. 27 is an example flowchart of a method for installing the deltapatch file created in connection with FIG. 26 at the destinationmachine. In 2701, the delta patch file is received at the destinationmachine. In 2703, the received delta patch file may be maintained with aprevious image in the destination machine. The received delta patch fileand the previous image may be maintained in a logically protected regionof a hard drive of the destination machine. Such a logically protectedregion may ensure that the content of the logically protected region isnot erased when the hard drive content at the destination machine iserased.

The received delta patch file may be processed by XDelta for thepurposes of applying a patch to the previously stored image file. Theprevious image may be maintained as a file-based disk image file, suchas a WIM file, and by utilizing XDelta as described herein, a newpatched image file may be maintained as a file-based disk image file,such as a WIM file. Thus, the new patched WIM file with one removedsoftware stack version and one added software stack version may bemaintained in the destination machine. The new patched image file may bemaintained in the logically protected region of the hard drive of thedestination machine. In one example, the previous image may includeversions 1.0, 2.0, and 3.0 of a software stack and the new patched imagemay include versions 2.0, 3.0, and 4.0 of the software stack, as shownin FIG. 28.

Generating Task Sequences and their Use in Propagating Reference StackUpdates

As has already been discussed, a current version of the reference stackmay be generated at reference machine 700, which may then be propagatedout to the SSFTDs in a number of different ways. To accomplish this, theSSFTDs will need not only the stack updates (e.g., in the form ofimages, delta patch files, and/or installer components, depending uponthe type of update), but also instructions as to how to make thoseupdates locally at the SSFTDs. The present section will discuss thoseinstructions, also referred to herein as task sequences, in greaterdetail. In addition, this section will discuss another task sequence,called herein a reference stack task sequence, for building thereference stack at reference machine 700. Moreover, as will bediscussed, any or all of these task sequences may be generated in anautomated manner to potentially reduce or even minimize humaninteraction (and the corresponding opportunities for human error). Thismay be desirable where updates occur frequently and providing a largesoftware update team to create the task sequences and build the updatedversions of the reference stack is simply not economical.

Returning again to a brief description of the software stack, thereference software stack on the reference machine (and subsequentlypropagated to and installed on the SSFTDs) may be a multilayeredcomposition comprising an operating system, a device management layer,an application layer, and miscellaneous software applications to supportmaintenance, software distribution, monitoring and security. It may beexpected that the service provider itself is not necessarily qualifiedto generate all of the software components that make up these layers,and/or it would not be efficient for the service provider itself togenerate the software components directly. Accordingly, it may beexpected that some or all of the software components may originate frommultiple different vendors. For example, a first vendor may providedevice management components (e.g., XFS) while a second vendor mayprovide components in the application layer.

The composition of a fully constituted software stack may be effectedusing, for example, the Microsoft Deployment Toolkit (MDT), toorchestrate the installation of each component on the target system. MDTprovides a graphical user interface (GUI) for creation and modificationof task sequences, but may not be well-suited to making large scalerepetitive updates such as those provided by the various vendors duringeach release cycle. Making those updates via a GUI may be simply tootime consuming and error prone. Instead, software deliveries from ourvendors may be accepted in a highly regularized format, and certain tasksequences may be programmatically created and/or updated in accordancewith those deliveries.

For instance, vendors may deliver three specific artifacts (e.g., in theform of data stored on a computer-readable medium) with every softwarerelease:

-   -   1) Software components—these may be delivered, for example, in        MSI (Microsoft Installer) installer files.    -   2) Documentation—this may characterize what is new with each        release and what is used to drive testing.    -   3) Manifests—these are documents that may describe the order in        which components should be installed, the commands used to carry        out the installation, and in some cases, expected environmental        preconditions such as which operating system services should be        started or stopped for the installation to proceed properly.

These artifacts may be processed so as to generate a task sequence forfully building the software stack on the reference machine from scratch.The task sequence may be a set of instructions, such ascomputer-readable instructions (e.g., XML format), and may be generatedmanually and/or automatically. This reference stack task sequence mayinclude instructions for installing each of a plurality of softwarecomponents, one by one, in a particular order into the software stack onthe reference machine.

The manifests, software installer components, and documentation may beused to programmatically generate the reference stack task sequence inthe following example manner. For each software component in the stack,the MDT development environment on the reference machine may track theassociated installer component, the associated application meta-datafile (which may be, e.g., an XML file), and the order in which thesoftware component should be installed relative to the other softwarecomponents. The following sequence of events may thus be executedprogrammatically to update a pre-existing reference stack task sequence(or for creating a new reference stack task sequence from scratch).

First, a validation check may be performed. The reference machine may beconfigured to programmatically iterate across each vendor-providedmanifest and compare the version number captured in the manifest withthe version number embedded in the accompanying MSI files. This isbecause version numbers are captured in two places and it is desirableto check that the versions are consistent.

Next, the MSI file may be copied to the MDT's file share inside a folderwith the same name as the component. Then, a programmatic update may bemade to the MDT's applications metadata file to capture applicationmetadata. Where a pre-existing reference stack task sequence is to beupdated, a comparison of that reference stack task sequence and themanifests may be performed, to determine the changes that need to bemade to the reference stack task sequence. Where a new reference stacktask sequence is to be created from scratch from the manifests, then thecomparison may be skipped.

If a new reference stack task sequence is to be created, then it iscreated based on the manifests. If a pre-existing reference stack tasksequence is to be updated, then based on the changes determined duringthe comparison, an update may be made to the reference stack tasksequence by modifying portions of the reference stack task sequence. Forinstance, where the component already exists, the update for thatcomponent may be made be “in-place.” Or, where the reference stack tasksequence (e.g., an XML file) contains more components that thosedescribed in each vendor provided manifest, the manifest processing mayfirst excise the relevant vendor instructions (thus deleting them fromthe task sequence) and then replace them with a new set, leaving allother instructions in place. Or, where additional components are to beadded, corresponding instructions from the manifests are added to thereference stack task sequence.

Once the reference stack task sequence has been generated, the referencemachine 700 may execute the reference stack task sequence to build thereference stack. The reference machine 700 may also store the tasksequence as data on a computer-readable medium.

Once the reference stack has been built, there are several ways ofpropagating the current software stack to the SSFTDs, depending upon thesignificance of the changes to the software stack as compared with theprevious version of the software stack, as well as the current state ofa given SSFTD. In general, the current software stack may be propagatedout to a given SSFTD in one of two ways: (1) sending an image of thefull software stack, or, as will be described further, sending a filerepresenting changes to the full software stack as compared with theprevious version of the software stack; and (2) sending the MSIinstallers for those software components that have been removed, added,or modified. Using the first method (sending image of software stack orfile of the changes), it may or may not be assumed that the target SSFTDalready has a viable image of the previous version of the softwarestack. Using the second method (sending the MSI installers of just theaffected components), it is assumed that the target SSFTD in fact has aviable image of the previous version of the software stack.

For each of the above two methods, a task sequence for use by the targetSSFTD may also be generated and sent to that SSFTD. That task sequenceinstructs the SSFTD how to use the image, file, or MSI installers beingprovided. Depending upon the propagation method used, there may be threetypes of such task sequences sent to the SSFTD: (A) a re-imaging tasksequence for instructing the SSFTD how to build a software stack usingthe image or file being sent; (B) an incremental task sequence forinstructing the SSFTD how to modify the existing software stack in theSSFTD using the MSI installers being sent; and (C) a cumulative tasksequence for instructing the SSFTD how to re-build its software stackfrom an existing image of the software stack and to then utilize the MSIinstallers. Thus, the re-imaging task sequence may be used with method(1) above, and the cumulative and incremental task sequences may be usedwith method (2) above.

Not only may the reference stack image for use by the reference machine700 be programmatically created from the manifests, but so may any tasksequences needed for the incremental update function and the cumulativeupdate function, for use by the SSFTDs.

For the incremental update task sequence, as with the reference stacktask sequence, the MDT environment may also be updated programmaticallywith reference to manifests. A difference in this case is that thedesired incremental task sequence is generated with reference to twodifferent sets of manifests—one representing the desired state of thereference software stack, and the other representing the state in whichthe reference software stack currently resides. Programmatic analysis ofthe two manifests (previous state versus desired state) may allow thedifferences thereof to be decomposed into three distinct categories:

-   -   a) Components that exist in the new set of manifests, but not        the old set of manifests. These are new components that will        need to be installed on the SSFTDs during the update.    -   b) Components that exist in the old set of manifests, but not in        the new set of manifests. These are components that will need to        be de-installed from the SSFTDs during the update.    -   c) Components that exist in both sets of manifests, although        with different version numbers of the components. These are        components that will need to have the old version de-installed,        and then the new version installed, on the SSFTDs during the        update.

This basic analysis yields two sets of components—those that need to bede-installed, and those that need to be installed. These two lists maybe further processed so that the incremental task sequence file isupdated to execute the de-installations first (taking care to do so inthe reverse order they are expressed in the previous-state manifests),then executing the installations in the order they are expressed in thedesired-state manifests.

For the cumulative update task sequence, this is a task sequence that isa hybrid sequence that first re-images the SSFTD to a known softwarestack version, using an image that has been previously deployed to theSSFTD, and then updates the SSFTD incrementally in the same manner asthe incremental update task sequence, again using installer componentsthat have either been previously deployed or are sent along with thecumulative update task sequence.

The basic analysis is very similar to that used to generate theincremental update task sequence. In particular, the creation isperformed by comparing the manifests that characterize the desiredsoftware revision level and generating a set of instructions thatde-install, and then install, software components. The logistics ofdetermining what components are de-installed and installed areessentially the same as described above with regard to the incrementalupdate task sequence. There is a difference, however, in that thecumulative update task sequence also handles installing and configuringthe base stack image prior to performing the incremental updatefunction.

An example of how these task sequences are generated and propagated tothe SSFTDs in connection with the two methods of stack propagation willbe described in connection with FIG. 4. In block 401, the referencemachine 700 generates the reference stack task sequence for building thereference stack, as discussed above, and in block 402, the referencesoftware stack is built at the reference machine 700 using the referencestack task sequence, as described previously.

In block 403, the reference machine determines how to propagate the mostrecent version of the reference software stack to an SSFTD. Thisdetermination may be based on, for example, the current state of theSSFTD software stack and/or on how significant/large the changes are tothe reference software stack as compared with the previous version ofthe reference software stack. Depending upon the decision in block 403,the process follows one of the following paths: blocks 404-405-406-407(re-imaging path), or blocks 408-409-410 (cumulative update path), orblocks 411-412-413 (incremental update path).

If the re-imaging path is chosen, then in block 404, the full imageand/or a delta patch file is created from the reference stack byreference machine 700, as discussed in detail elsewhere in the presentdisclosure. Next, in block 405, a re-imaging task sequence is generated(such as by the programmatic/automatic creation discussed elsewhereherein) that instructs the SSFTD how to utilize the sent full stackimage or delta patch file. In block 406, the task sequence and therelevant image or file are sent to the SSFTD. In block 407, the SSFTDstored the task sequence and image or file in the logically protectedarea of its hard drive, and uses the task sequence to generate and/orupdate the stack located on the hard drive of the SSFTD.

If the incremental update path is chosen, then in block 411 anincremental update task sequence is created (such as by theprogrammatic/automatic creation discussed elsewhere herein) thatinstructs the SSFTD how to use certain installer components. Then, inblock 412, the task sequence and installer components are sent to theSSFTD. In block 413, the SSFTD stores the task sequence and installercomponents in the logically protected region of its hard drive, and usesthe task sequence to update the stack located on the hard drive of theSSFTD.

FIG. 20 is an example flowchart of a method for installing a new versionof a software stack at a destination machine by the incremental updateprocess, in accordance with the incremental update task sequence. Theprocess starts and at 2001, one or more new software components may bereceived by a destination machine. Proceeding to 2003, the received oneor more software components may be maintained with a previous imagecurrently maintained in a logically protected region of a hard drive ofthe destination machine. This logically protected region may belogically protected region 851 in hard drive 821 of destination machine800 as previously described. The one or more software components may beused in rebuilding the current software stack of the destinationmachine. The incremental update task sequence for installation of adesired software stack on the destination machine may also be included.

At 2005, the incremental update task sequence may be accessed todetermine the instructions for changing the current software stackoperating on the destination machine. In 2007, the task sequence mayinclude additional instructions for de-installing any identifiedsoftware component(s) in the current software stack of the destinationmachine. In 2009, the one or more identified software components maythen be re-installed in place of the de-installed software components.Following the flowchart of FIG. 20, the software stack of thedestination machine may operate in accordance with the desired version.

Returning to FIG. 4, if the cumulative update path is alternativelychosen, then in block 408 a cumulative update task sequence is created(such as by the programmatic/automatic creation discussed elsewhereherein) that instructs the SSFTD how to use rebuild the stack from astored image and to update that image using certain installercomponents. Then, in block 409, the task sequence, and the installercomponents and/or image as needed are sent to the SSFTD. In block 410,the SSFTD stores the task sequence, and if sent, the image and/orinstaller components, in the logically protected region of its harddrive, and uses the task sequence to update the stack located on thehard drive of the SSFTD.

FIG. 21 is an example flowchart of a method for installing a new versionof a software stack at a destination machine by the cumulative updateprocess. The process starts and at 2101, one or more new softwarecomponents may be received by a destination machine. Proceeding to 2103,the received one or more software components may be maintained with aprevious image currently maintained in a logically protected region of ahard drive of the destination machine. This logically protected regionmay be logically protected region 851 in hard drive 821 of destinationmachine 800 as previously described. The one or more software componentsmay be used in rebuilding the current software stack of the destinationmachine. The cumulative update task sequence for installation of adesired software stack on the destination machine may also be included.

At 2105, the cumulative update task sequence may be accessed todetermine the instructions for changing the current software stackoperating on the destination machine. As part of the instructions of thetask sequence, the destination machine may be rebooted into aRAM-resident operating system in 2107. By rebooting in the RAM-residentoperating system, in 2109, the hard drive of the destination machine maybe cleaned. The entire hard drive may be cleaned except for thelogically protected region of the hard drive. By cleaning/erasing thehard drive, but for the logically protected region, an entirely newsoftware stack may be built on the destination machine.

Proceeding to 2111, a software stack may be built in the erased portionof the hard drive from the previous image stored in the logicallyprotected region of the hard drive based upon instructions in the tasksequence as to the version to build. For example, the previous image mayinclude multiple versions of a software stack. The task sequenceinstruction may indicate to build version 2.0 that is included in theprevious image. As such, version 2.0 of the software stack may be builtas the software stack of the destination machine. Proceeding to 2113,the instructions of the task sequence may instruct the destinationmachine to be rebooted into the newly-built operating system of thesoftware stack.

At this point, the software stack of the destination machine may beoperating under the specific version identified in the task sequence,such as version 2.0. In 2115, the task sequence may include additionalinstructions for de-installing any identified software component(s). In2117, the one or more identified software components may then bere-installed in place of the de-installed software components. Followingthe flowchart of FIG. 21, the software stack of the destination machinemay operate in accordance with the desired version.

FIG. 5 shows an alternative implementation, in which the three types oftask sequences sent to the SSFTD may be combined into a single tasksequence with different logical starting points for implementing there-imaging, incremental update, and cumulative update functions. In thisexample, block 501 is identical to block 401, and block 502 is identicalto block 402. Next, in block 503, a complete task sequence, includingthe re-imaging, incremental, and cumulative update functions, iscreated. Alternatively, a task sequence including only two of thesefunctions may be created.

Next, block step 504, it is determined how to propagate any changes tothe reference stack to the SSFTDs. Thus, in block 504, the referencemachine, for example, determines whether the changes should bepropagated as a re-imaging, as an incremental update, or as a cumulativeupdate. In block 505, any full stack image or delta patch file isgenerated as needed, and in block 506 the appropriate task sequence andfile and/or installer components are sent to the SSFTD.

Depending upon the decision in block 504, the process moves to eitherblocks 507, 508, or 509. If the decision is to re-image, then in block507 the SSFTD begins executing the task sequence at a first start pointto perform the re-imaging function described herein. If the decision isto perform a cumulative update, then the SSFTD begins executing the tasksequence at a different second start point to perform the cumulativeupdate function. If the decision is to perform an incremental update,then the SSFTD begins executing the task sequence at yet a differentthird start point to perform the incremental update function. Thus, inblock 506, an indication of the type of update to be performed, and/oran indication of the proper starting point in the task sequence, mayalso be sent to the SSFTD.

FIG. 6 shows an example of a combined task sequence as discussed in FIG.5. The task sequence has instructions for performing various functions601-607 in a particular order, such as the order shown. If the tasksequence is begun at the first start point, then in this example theinstructions for performing the functions of blocks601-602-603-604-605-606-607 are performed in sequence. If the tasksequence is begun at the second start point, then in this example theinstructions for performing the functions of blocks602-603-604-605-606-607 are performed in sequence. If the task sequenceis begun at the third start point, then in this example the instructionsfor performing the functions of blocks 606-607 are performed insequence.

In this example, the instructions may be as follows. The task sequencemay include instructions (block 601) at the first start point(re-imaging start point) for combining the received delta file, if anywith the image already stored in the logically-protected region. Thetask sequence may further include instructions (block 602) at the secondstart point (cumulative update start point) for rebooting the SSFTD intoa RAM-resident operating system that may be stored in thelogically-protected region. Next, the task sequence may includeinstructions (block 603) for erasing some or all of the hard driveexcept for the logically-protected region. Next, the task sequence mayinclude instructions (block 604) for building the stack in the erasedportion of the hard drive from the image stored in thelogically-protected region.

Next, the task sequence may include instructions (block 605) forrebooting the SSFTD into the operating system of the newly-built stackin the formerly erased portion of the hard drive. Next, the tasksequence may include instructions (block 606) at the third start point(incremental update start point) for de-installing any components in thestack identified as needing to be removed for the update. Next, the tasksequence may include instructions (block 607) for installing anycomponents to the stack identified as being needed for the update.

Local Provisioning of SSFTD Updates

The occasion may occur where the ability to change a software stack of adestination machine remotely via network 112 may not be desirable orpossible. For example, situations arise where a destination machine mustbe serviced locally by a technician. Any of a number of reasons canoccur for such a circumstance. For example, the network interface 108 orhard drive 102 may not be working properly, and thus the SSFTD may notbe responsive to propagation attempts by the reference machine 700 vianetwork 112. Or, the service technician may visit the SSFTD to repairthe display 105, key pad 107, etc. Any of these or a number of otherreasons may warrant the need for a technician to be physically presentat the SSFTD. Under such circumstances, a technician on site may be ableto install a new image of a desired software stack physically on thedestination machine. In such a case, time and resources for downloadinga new image remotely can be removed since the technician may load a newimage on site.

For example, after completing other necessary repairs on the SSFTD, thetechnician may transfer an image (such as image 891) to destinationmachine 800 (e.g., SSFTD 100) from the removable computer-readablemedium 111, such as a compact disc or USB memory stick, using theremovable media interface 109. In this situation, there may arise theproblem that the version of the image on the computer-readable medium111 is not current, up-to-date, or otherwise appropriate for the SSFTDhe or she plans to load the image onto. A safeguard may be desired toensure that a technician does not load an unauthorized image into thelogically protected region of the hard drive of the SSFTD.

FIG. 15 illustrates an example system for authorizing an image stored ona removable memory source in accordance with one or more aspects of thepresent disclosure. FIG. 15 illustrates an example where a technicianpresently at a destination machine 1501 (e.g., one of SSFTDs 100A-C) mayattempt to load an image stored on a removable memory source 1509 into alogically protected region 1505 of the destination machine 1501. Any ofa number of different removable memory sources 1509 or other removablecomputer-readable media may be utilized including a USB memory stick, acompact disc (CD), and/or other portable memory source. A technician mayattempt to load an image stored on portable memory source 1509 via aconnection port 1507 on the destination machine 1501. Connection portmay be coupled to or part of removable media interface 109. Aconventional USB port is one form of connection port 1507 that may beutilized to act as a conduit for transfer between a portable memorysource 1509 and a destination machine 1501.

In attempting to load an image stored on the portable memory source 1509onto the logically protected region 1505 of the destination machine1501, a confirmation of authorization to load the image may beperformed. Destination machine 1501 may be configured to access anexternal server 1551. Such access to server 1551 may be through one ormore networks 1531 (such as network 112), and external server 1551 maybe controlled by and/or located at service provider 201. Upon accessingthe server 1551, the destination machine 1501 may be configured toprovide identification information, such as a serial numberidentification and/or IP address of the destination machine 1501 and arequest for identification of authorized version(s) of images.

With some form of identification of the destination machine 1501, server1551 may identify the one or more versions of images that thedestination machine 1501 is authorized to maintain. To accomplish this,server 1551 may include or have access to a database to determine, forthe particular destination machine 1501 in question, which version(s) ofimages is the destination machine authorized to maintain. Such adatabase may be updated as new authorized version(s) of images areidentified.

In response to the request for identification of authorized version(s)of images that may be loaded into the logically protected region 1505 ofthe destination machine 1501, server 1551 may be configured to sendidentification of the authorized version(s) to the destination machine1501. Such an identification of authorized version(s) may be anindication that destination machine may load versions 2.0, 3.0, 4.0.With the identified authorized version(s), destination machine 1501 maysearch the content of the portable memory source 1509 for one or more ofthe authorized version(s) of images.

If the portable memory source 1509 includes one or more of theauthorized versions of images, one or more of the authorized versions ifimages may be copied from the portable memory source to the logicallyprotected region 1505 of the hard drive of the destination machine 1501.If the destination machine 1501 determines that no authorized version ofan image exists on the portable memory source 1509, the technician maybe prompted that load of a new image is not authorized and/or that thetechnician should seek a new portable memory source or new images forthe portable memory source. Such a prompting may occur via a display1503 at the destination machine 1501. Thus, any unauthorized imageversion is prevented from being loaded by the destination machine fromthe portable memory source.

FIG. 16 is an example flowchart of a method for authorizing loading of anew version of a software stack image onto a destination machine. Theprocess starts and at 1601, a technician present at the destinationmachine inserts a removable memory source into the destination machinevia a connection port. The removable memory may be memory 1509, thedestination machine may be destination machine 1501, and the connectionport may be connection port 1507 from FIG. 15. At 1603, whether enteredby the technician or determined by the destination machine, thedestination machine may send identification of the destination machineto an external server. Such identification may include a serial numberand/or an IP address associated with the destination machine.

At 1605, the external server may determine the one or more version(s) ofimages that the destination machine is authorized to load onto itslogically protected region. Such a server may be server 1551 andlogically protected region may be logically protected region 1505 inFIG. 15. Proceeding to 1607, the external server may send identificationof the authorized version(s) of images to the destination machine. In1609, the destination machine may search for the one or more authorizedversion(s) of images on the removable memory source inserted by thetechnician in 1601.

A determination then may be made at 1611 as to whether one or more ofthe authorized version(s) of images are present on the removable memorysource. If no authorized version is found, at 1613, the technician maybe prompted that no authorized versions of images exist on the insertedremovable memory source. If no authorized version of an image is foundon the removable memory source, no image on the removable memory sourcecan be loaded onto the logically protected region of the destinationmachine. Returning to 1611, if one or more authorized versions of imagesis found on the removable memory source, at 1615, the one or moreauthorized versions of images may be copied form the removable memorysource to the logically protected region of the destination machine foreventual loading of a software stack on the destination machine.

FIG. 17 illustrates an example system for loading an image from aremovable memory source onto a destination machine in accordance withone or more aspects of the present disclosure. The process shown in FIG.17 may be a continuation from 1613 in FIG. 16 where a technician hasbeen prompted that her attempt to load an image from a removable memorysource is not authorized. In FIG. 17, the technician may have received aprompt from destination machine 1751 that no authorized version of animage exists on removable memory source 1721. In response, thetechnician may access a different destination machine 1701 on the sameor a different network that already maintains one or more of theauthorized versions of images that the destination machine 1751 mayload.

At different destination machine 1701, the technician may insert theremovable memory source 1721 into the destination machine 1701 via aconnection port 1705. Having connected, the technician may copy one ormore authorized versions of images from the logically protected region1703 of the destination machine 1701 to the portable memory source 1721.As such, the technician has been able to acquire one or more newversions of images onto her portable memory source 1721 from thedifferent destination machine 1701. With the one or more authorizedversions of images on the portable memory stick 1721, the technician mayreturn to the first destination machine 1751, insert the portable memorysource 1721 into the destination machine 1751 via connection port 1755,and load the one or more authorized versions of images from the portablememory source 1721 to the logically protected region 1753 of thedestination machine 1751.

FIG. 18 is an example flowchart of a method for loading an image from aremovable memory source onto a destination machine. The process startsand at 1801, a technician present at the destination machine inserts aremovable memory source into the destination machine via a connectionport. At 1803, the technician may be prompted that no authorizedversions of images exist on the removable memory source. At 1805, thetechnician may be prompted of the physically nearest differentdestination machine with at least one authorized version of an image.This determination may be based on, for example, the information storedin the database accessible by the server 1551, which may indicate theversion of the stack in each SSFTD in the network. The process may thenproceed to 1807.

As indicated, at 1807, the technician may insert her removable memorysource into a connection port on the different destination machine.Proceeding to 1809, the different destination machine may copy, onto theportable memory source, one or more versions of images that the firstdestination machine is authorized to maintain in its logically protectedregion. With the portable memory source now storing one or moreauthorized versions of images, the technician may return to the firstdestination machine that prompted her of no authorized versions in 1803.

As in 1801, at 1811, the technician present at the destination machineinserts her removable memory source into the destination machine via theconnection port. With the one or more authorized versions of imagespresent on the portable memory source, at 1813, the destination machinemay load the one or more authorized versions of images from the portablememory source to the logically protected region of the hard drive of thedestination machine.

FIG. 19 is an example flowchart of a method for accessing a current tasksequence for a destination machine to execute in accordance with one ormore aspects of the present disclosure. The process starts and at 1901,a technician present at the destination machine inserts a removablememory source into the destination machine via a connection port. At1903, the destination machine may load one or more authorized versionsof images from the portable memory source to a logically protectedregion of a hard drive of the destination machine.

In determining how to execute creation of a software stack from theloaded images, in 1905, the destination machine may be configured toaccess an external server to request a current task sequence forexecution at the destination machine. For example, the loaded image atthe destination machine may include a task sequence that is currentlyout of date or no longer used. As such, although the image of thesoftware components for the software stack in the loaded image is goodto use, the associated task sequence may not be. In accessing anexternal server to request a current task sequence for execution at thedestination machine, such a request may include an identification of thedestination machine, such as a model number or serial number. In anotherexample, such a request may include an identification of the tasksequence identified in one or more of the loaded images. As such, such arequest may be with respect to the destination machine itself and/or maybe to the loaded images. Proceeding to 1907, the external server may beconfigured to identify the current task sequence for implementation bythe destination machine. In response, at 1909, the external server maysend data representative of the current task sequence to the destinationmachine. In one example, the data representative of the current tasksequence is the current task sequence for execution by the destinationmachine. In another example, the data representative of the current tasksequence may be a version number or some other identifier of the currenttask sequence.

Moving to 1911, the destination machine may execute the current tasksequence received for the external server in accordance with the one ormore authorized versions of images maintained in the logically protectedregion of the destination machine. In addition, at 1913, the currenttask sequence received form the external server may be copied to theremovable memory source of the technician. As such, the technician maynow maintain a current authorized version of an image and a current tasksequence for implementing installation of the software stack on theimage.

In another example embodiment, a technician may update task sequencedata for a plurality of images, even if not utilized and/or authorizedfor the destination machine that the technician has connected theremovable memory source to. For example, after connecting a removablememory source, the destination machine may identify at least oneunauthorized version of the image of the software stack that is on theremovable memory source. While accessing an external server to request acurrent task sequence for execution at the destination machine, anotherrequest may be made for a current task sequence for execution of the atleast one unauthorized version of the image of the software stack. Then,the destination machine may receive data representative of the currenttask sequence for execution of at least one unauthorized version of theimage of the software stack. Finally, the destination machine may recordthe data representing the current task sequence for execution of atleast one unauthorized version of the image of the software stack to theremovable memory source. As such, the destination machine may beutilized for updating task sequences of unauthorized versions of theimage for a technician to use on other destination machines without thedestination machine having access to the unauthorized version of theimage of the software stack.

Prohibiting Remote Viewing of SSFTD Transactions

When an SSFTD is being remotely interacted with by service provider 201,such as by updating the software stack or obtaining bulk transactioninformation, it may sometimes be possible for service provider 201 toobserve details of a transaction that is in progress during theattempted remote interaction. In many cases this may be undesirable. Forinstance, where the SSFTDs are ATMs, there may be regulations or otherpolicies that prohibit observing details of a deposit or withdrawaltransaction in progress by a user of the machine.

As discussed previously, service provider 201 may be an entity that isresponsible for the software maintenance of SSFTDs 100A-C. Serviceprovider 201 may be, for example a bank or other financial institution,or it may be purely a software maintenance entity, and may desire toelectronically and remotely interact with one or more of the SSFTDs vianetwork 110 or via a direct communication. For example, service provider201, which may itself include or be a computer such as reference machine700, may attempt to download data from one or more of the SSFTDs 100concerning transactions that have already taken place, or may attempt toupgrade the software on one or more of the SSFTDs 100. Regardless of thetype of remote interaction, it may further be desirable that anyinteraction not make it easier for someone located at service provider201 to have access to information concerning an ongoing localtransaction such as a monetary deposit or withdrawal.

To accomplish this, the system may perform a method such as that shownin FIG. 22, which is a flow chart showing illustrative steps in aprocess that may be performed to prohibit remote observation of atransaction in progress. In this example method, the remote transactiondesired by service provider 201 is blocked if there is an ongoing localtransaction, and allowed only after the local transaction is terminated.In the following example, it will be assumed that service provider 201is interacting with SSFTD 100-A. Also, it will be assumed that allcommunications between service provider 201 and SSFTD 100-A aretransferred via network 110. However, communications between serviceprovider 201 and SSFTD 100-A may be by other means, such as via a directcommunication wired line and/or wireless link.

In block 2201, service provider 201 attempts to open a remote controlsession with SSFTD 100-A. This may involve a handshaking routine betweena computer of service provider 201 and SSFTD 100-A. Next, in block 2202,service provider 201 and/or SSFTD 100-A verify whether there is acustomer local to SSFTD 100-A (e.g., a person physically using SSFTD100-A) involved in a local transaction. This may involve, for instance,service provider 201 querying SSFTD 100-A for local transaction status.Alternatively, the query may be implied by the existence of the sessionopening in block 2201. In either case, in block 2203 SSFTD 100-A mayverify the local transaction status, and in block 2204 may return thestatus as either an absence of a transaction or as a transaction inprogress. The determination of the transaction status in blocks 2203 and2204 may be performed, for example, in accordance with self-serviceapplication software executing on computer 101. Using such software,computer 101 may have knowledge of the status based on the state ofcustomer interaction software executing on computer 101.

If the transaction status is that a transaction is in progress, then atblock 2205 the remote control session is denied, terminated, or placedin a hold state. If the remote control session is placed in a holdstate, then SSFTD 100-A may periodically execute block 2204 until it isdetermined that the transaction is no longer in progress (i.e., thatthere is now an absence of transaction). Alternatively, the sessionattempt may terminate and a new remote control session may need to berequested at block 2201.

As an example of how this might work, assume that a user of SSFTD 100-Ais presently depositing money into his or her account. The deposittransaction may be defined as starting and terminating at any points,however in this example it will be assumed that the transaction beginswith the first user input to SSFTD 100-A (e.g., inserting an ATM card)and ends with SSFTD 100-A providing its last communication to the userspecific to the transaction (e.g., printing out a statement of thetransaction using printer 106 or returning the ATM card).

If the transaction status is an absence of transaction, then at block2206, SSFTD 100-A may lock out any further local transactions inpreparation for further remote interaction with service provider 201.This may be performed, for example, by computer 101 of SSFTD 100-Aplacing the software in a state that temporarily prevents input by auser such as input via key pad 107 and deposit unit 103. In addition,computer 101 may cause a message to be displayed on display 105indicating that SSFTD 100-A is temporarily unavailable.

Next, at block 2207, computer 101 may establish (e.g., acknowledgeand/or complete the handshaking routine) the remote control session withservice provider 201, in order to allow service provider 201 to gainremote control functionality of SSFTD 100-A. As discussed previously,such remote control functionality may include, for example, extractingtransaction or other data from SSFTD 100-A, or modifying the softwareoperating on SSFTD 100-A. Again during these remote control activities,no further local transactions may be conducted due to the lockout stillin effect when applied at block 2206).

Once the desired remote control activities are completed, such as may beindicated by service provider 201 or per a timeout delay, the remotecontrol session is terminated in block 2208. Then, in block 2209, thelockout is removed such that local transactions may once again beperformed at SSFTD 100-A.

CONCLUSION

While various illustrative embodiments are specifically shown anddescribed, it will be understood by those skilled in the art that thepresent disclosure is not limited to these embodiments. Modificationsmay be made by those skilled in the art, particularly in light of theforegoing teachings. For example, each of the elements of theaforementioned described embodiments may be utilized alone or incombination or subcombination with elements of the other embodiments. Itwill therefore be appreciated and understood that such modifications maybe made without departing from the true spirit and scope of the presentdisclosure. The description herein is thus to be regarded asillustrative, rather than as restrictive, of the present disclosure.

1. A method comprising: loading, by a first computer, datarepresentative of an image of a software stack from a removablecomputer-readable storage medium; requesting, from the first computer toa second computer, a task sequence of instructions for installing thedata representative of the image of the software stack at the firstcomputer; receiving, at the first computer, the task sequence; andaccessing, at the first computer, the task sequence to retrieve theinstructions for installing the data representative of the image at thefirst computer.
 2. The method of claim 1, wherein the datarepresentative of the image is loaded to a logically protected region ofthe first computer.
 3. The method of claim 1, further comprisingrecording, by the first computer to the removable computer-readablestorage medium, the task sequence.
 4. The method of claim 1, furthercomprising identifying, at the first computer, connection of theremovable computer-readable storage medium to the first computer.
 5. Themethod of claim 1, further comprising: identifying, by the firstcomputer, a second task sequence maintained on the removablecomputer-readable storage medium; and determining if the second tasksequence is the task sequence.
 6. The method of claim 1, wherein therequesting the task sequence includes an identification of the firstcomputer.
 7. The method of claim 1, further comprising: receiving datarepresentative of at least one other current task sequence for adifferent computer; and recording, by the first computer to theremovable computer-readable storage medium, data representing the atleast one other current task sequence.
 8. The method of claim 1, furthercomprising: identifying data representative of at least one unauthorizedversion of the image of the software stack on the removablecomputer-readable storage medium; requesting a current task sequence forexecution of the data representative of the at least one unauthorizedversion of the image of the software stack; receiving datarepresentative of the current task sequence for execution of the datarepresentative of the at least one unauthorized version of the image ofthe software stack; and recording, by the first computer to theremovable computer-readable storage medium, data representing thecurrent task sequence for execution of the data representative of the atleast one unauthorized version of the image of the software stack. 9.The method of claim 1, wherein the data representative of the image isan image.
 10. A method comprising: loading, by a first computer, datarepresentative of an image of a software stack from a removablecomputer-readable storage medium; identifying, by the first computer, atask sequence maintained on the removable computer-readable storagemedium; requesting, from the first computer to a second computer, datarepresentative of a current task sequence of instructions for installingthe data representative of the image of the software stack at the firstcomputer; receiving, at the first computer, data representative of thecurrent task sequence; and determining if the identified task sequenceis the current task sequence.
 11. The method of claim 10, wherein thedata representative of the current task sequence is the current tasksequence.
 12. The method of claim 10, responsive to determining theidentified task sequence is the current task sequence, accessing, at thefirst computer, the task sequence to retrieve the instructions forinstalling the data representative of the image at the first computer.13. The method of claim 10, responsive to determining the identifiedtask sequence is not the current task sequence, recording, by the firstcomputer to the removable computer-readable storage medium, the currenttask sequence.
 14. The method of claim 10, wherein the datarepresentative of the image is loaded to a logically protected region ofthe first computer.
 15. One or more computer-readable media storingcomputer-readable instructions that, when executed by at least onecomputer, cause the at least one computer to perform a method of:loading, by a first computer, data representative of an image of asoftware stack from a removable computer-readable storage medium;requesting, from the first computer to a second computer, a tasksequence of instructions for installing the data representative of theimage of the software stack at the first computer; receiving, at thefirst computer, the task sequence; and accessing, at the first computer,the task sequence to retrieve the instructions for installing the datarepresentative of the image at the first computer.
 16. The one or morecomputer-readable media of claim 15, wherein the requesting the tasksequence includes an identification of the first computer.
 17. The oneor more computer-readable media of claim 15, the method furthercomprising recording, by the first computer to the removablecomputer-readable storage medium, the task sequence.
 18. The one or morecomputer-readable media of claim 15, the method further comprising:identifying data representative of at least one unauthorized version ofthe image of the software stack on the removable computer-readablestorage medium; requesting a current task sequence for execution of thedata representative of the at least one unauthorized version of theimage of the software stack; receiving data representative of thecurrent task sequence for execution of the data representative of the atleast one unauthorized version of the image of the software stack; andrecording, by the first computer to the removable computer-readablestorage medium, data representing the current task sequence forexecution of the data representative of the at least one unauthorizedversion of the image of the software stack.
 19. One or morecomputer-readable media storing computer-readable instructions that,when executed by at least one computer, cause the at least one computerto perform a method of: loading, by a first computer, datarepresentative of an image of a software stack from a removablecomputer-readable storage medium; identifying, by the first computer, atask sequence maintained on the removable computer-readable storagemedium; requesting, from the first computer to a second computer, datarepresentative of a current task sequence of instructions for installingthe data representative of the image of the software stack at the firstcomputer; receiving, at the first computer, data representative of thecurrent task sequence; and determining if the identified task sequenceis the current task sequence.
 20. The one or more computer-readablemedia of claim 19, wherein the data representative of the current tasksequence is the current task sequence.
 21. The one or morecomputer-readable media of claim 19, responsive to determining theidentified task sequence is the current task sequence, the methodfurther comprising accessing, at the first computer, the task sequenceto retrieve the instructions for installing the data representative ofthe image at the first computer.